Follow up for #2713 - Content Security Policy allows embedded content from Youtube and Vimeo.

2020-03-06 09:27:42 +01:00 · 2020-03-06 09:27:42 +01:00 · 3c73022272
commit 3c73022272
parent 77e096e211
5 changed files with 5 additions and 4 deletions
--- a/app/assets/javascripts/app/controllers/knowledge_base/reader_controller.coffee
+++ b/app/assets/javascripts/app/controllers/knowledge_base/reader_controller.coffee
@ -115,7 +115,7 @@ class App.KnowledgeBaseReaderController extends App.Controller
      # coffeelint: disable=indentation
      url = switch settings.provider
            when 'youtube'
-              "http://www.youtube.com/embed/#{settings.id}"
+              "https://www.youtube.com/embed/#{settings.id}"
            when 'vimeo'
              "https://player.vimeo.com/video/#{settings.id}"
      # coffeelint: enable=indentation
--- a/app/helpers/knowledge_base_rich_text_helper.rb
+++ b/app/helpers/knowledge_base_rich_text_helper.rb
@ -38,7 +38,7 @@ module KnowledgeBaseRichTextHelper

      url = case settings[:provider]
            when 'youtube'
-              "http://www.youtube.com/embed/#{settings[:id]}"
+              "https://www.youtube.com/embed/#{settings[:id]}"
            when 'vimeo'
              "https://player.vimeo.com/video/#{settings[:id]}"
            end
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@ -35,6 +35,7 @@ Rails.application.config.content_security_policy do |policy|
  policy.object_src  :none
  policy.script_src  :self, :unsafe_eval, :unsafe_inline, :strict_dynamic
  policy.style_src   :self, :unsafe_inline
+  policy.frame_src   'www.youtube.com', 'player.vimeo.com'
 end

 # If you are using UJS then enable automatic nonce generation
--- a/spec/system/knowledge_base/locale/answer/edit_spec.rb
+++ b/spec/system/knowledge_base/locale/answer/edit_spec.rb
@ -43,7 +43,7 @@ RSpec.describe 'Knowledge Base Locale Answer Edit', type: :system, authenticated
      visit "#knowledge_base/#{knowledge_base.id}/locale/#{primary_locale.system_locale.locale}/answer/#{published_answer_with_video.id}"

      iframe = find('iframe')
-      expect(iframe['src']).to start_with('http://www.youtube.com/embed/')
+      expect(iframe['src']).to start_with('https://www.youtube.com/embed/')
    end
  end
 end
--- a/spec/system/knowledge_base_public/answer_spec.rb
+++ b/spec/system/knowledge_base_public/answer_spec.rb
@ -13,7 +13,7 @@ RSpec.describe 'Public Knowledge Base answer', type: :system, authenticated: fal
      visit help_answer_path(primary_locale.system_locale.locale, category, published_answer_with_video)

      iframe = find('iframe')
-      expect(iframe['src']).to start_with('http://www.youtube.com/embed/')
+      expect(iframe['src']).to start_with('https://www.youtube.com/embed/')
    end
  end
 end